Friday, January 30, 2015

RoundUp, Child Pornography and Kyllo

After Jeffrey Feldman was indicted on federal charges of “receiving and possessing child pornography” he filed motions to “compel discovery regarding the computer program (`RoundUp’) used by law enforcement to initially detect the alleged presence of child pornography on his computer” and to suppress “evidence gathered pursuant to a subsequently obtained search warrant”.  U.S. v. Feldman, 2015 WL 248006 (U.S. District Court for the Eastern District of Wisconsin 2015).  
The U.S. District Court Judge who has the case referred the motions to a U.S. Magistrate Judge, who scheduled oral argument on them, but on the “eve of the”
argument the parties notified the Magistrate Judge that they had resolved the case and that the motions would be withdrawn on the filing of a plea agreement. . . . The parties filed a plea agreement on May 8, 2014, and [the U.S. District Court Judge] scheduled a plea hearing for June 13, 2014. However, on May 29, 2014, defense counsel filed a letter indicating [Feldman] was withdrawing from the plea agreement and asking that the motions be set back on the calendar before the Magistrate Judge.
U.S. v. Feldman, supra. On June 2, 2014, the District Court Judge “referred the case” to the Magistrate Judge “for further action on the motions.” U.S. v. Feldman, supra.
The Magistrate Judge found Feldman waived his right to litigate the motions by entering into a plea agreement.  U.S. v. Feldman, supra.  In case the District Court Judge did not agree, the Magistrate Judge denied the motion to compel and recommended that the District Court Judge deny the motion to suppress. U.S. v. Feldman, supra.  The District Court judge agreed with the Magistrate Judge with regard to the waiver, but addressed Feldman’s arguments to get a decision on the merits in the record, in case Feldman appealed. U.S. v. Feldman, supra. 
He began with the motion to suppress, noting that the first issue was whether the
affidavit provided the issuing magistrate with a “substantial basis” to find probable cause. U.S. v. Koerth, 312 F.3d 862 (U.S. Court of Appeals for the 7th Circuit 2002) (citing Illinois v. Gates, 462 U.S. 213 (1983)). Probable cause is far short of certainty; it requires only a probability or substantial chance of criminal activity, not an actual showing of such activity or even a probability that exceeds 50 percent. U.S. v. Seiver, 692 F.3d 774 (U.S. Court of Appeals for the 7th Circuit 2012). Determining whether probable cause exists requires a common-sense analysis of the facts available to the judicial officer who issued the warrant.
U.S. v. Feldman, supra. 
The District Court Judge began by explaining that the warrant in this case was based on
the January 22, 2013, affidavit of FBI Special Agent Brett Banner. . . . Banner set forth the following information specific to this case.

Between June 10, 2012, and July 23, 2012, an FBI online covert employee (`OCE’) conducted numerous online investigations to identify individuals possessing and sharing child pornography using the eDonkey and KAD peer-to-peer . . . networks. The OCE used a P2P file sharing program, which scanned both networks simultaneously and has been enhanced to ensure downloads occur only from a single selected source. . . .

During those investigations, the OCE searched for suspected child pornography files and identified a particular IP address on the KAD network which had suspected child pornography files available for distribution. Specifically, this IP address responded to the OCE's queries for 17 suspected child pornography hash values. . . .

Banner averred that during the dates listed, the target IP address was registered to Time Warner/Road Runner and assigned to a physical address in Milwaukee, Wisconsin. . . . On September 6, 2012, the . . . suspected child pornography hashes were submitted to the National Center for Missing and Exploited Children (`NCMEC’) for preliminary identification. NCMEC advised that five of them `matched known child pornography victims. . . .’ The affidavit then specifically described two of those files. . . . Banner averred that the `remaining hashes were identified as “Recognized,” which meant they had been previously submitted to NCMEC as suspected child pornography by law enforcement.’ . . .

[T]he OCE attempted without success to conduct single source downloads of the suspected child pornography from the target IP address. The OCE noted that the IP address had been given a `low ID’ designation on the KAD network, which, for technical reasons, may have prevented the single source download. . . .

On September 7, 2012, Time Warner responded to a subpoena requesting subscriber information for the target IP address, identifying [Feldman] at a physical address in West Allis, Wisconsin. . . . On September 13, agents went to the physical address to conduct surveillance and determine if there was a wireless connection that could be associated with this residence. A check of the available wireless connections revealed there were several secured wireless connection points that could be associated with the residence. There were no unsecured wireless connection points found at this location, indicating that the suspect's wireless connection was secured. . . . On December 6, 2012, Banner viewed a law enforcement commercial data base and learned [Feldman] had lived at the West Allis address since 1997. . . . State records revealed [he] had vehicles registered to him at this address. . . .

Based on these facts, Banner averred there was probable cause to believe evidence of violations of 18 U.S. Code § 2252A was located at [Feldman’s] West Allis residence. . . . Magistrate Judge Callahan issued the warrant on January 22.
U.S. v. Feldman, supra. 
The judge found that “Banner's affidavit supplied a substantial basis for a finding of probable cause”, given the facts outlined above, the fact that the OCE identified the images at issue by their hash values and the fact that “[c]ourts have found hash values sufficiently reliable, even in the absence of a direct download.”  U.S. v. Feldman, supra.  He also relied on the fact that the FBI agents “confirmed that the hash values matched known child pornography by submitting them to NCMEC and viewing two of the files associated with the hash values, providing a detailed description of those two files.” U.S. v. Feldman, supra. 
The judge goes on to explain that in objecting to the Magistrate Judge’s ruling, Feldman
contends that no court has found that a target computer responding to hash value queries, without some further corroboration that the target computer likely contains child pornography, is sufficient to establish probable cause for a search warrant. He points to my decision in U.S. v. Case, where I indicated, in response to the defendant's complaint about the use of an automated law enforcement program, `This is not a situation where a computer program downloaded material believed to be contraband (based on, say, a keyword search or hash values) and no human being looked at the material before a warrant was sought.’ U.S. v. Thomas, 2014 U.S. Dist. LEXIS 34460 (U.S. District Court for the Eastern District of Wisconsin 2014).

In this case, the agents did not rely on the target computer's response to the hash value query alone; they submitted the hash values to the NCMEC for confirmation, viewed two of the offered files, and provided the magistrate judge with a detailed description of the contents of those two files. [Feldman] attempts to distinguish U.S. v. Thomas, supra, arguing that unlike in his case the officers there physically examined the images associated with the identified hash values. As discussed above, the instant warrant application, fairly read, establishes the same. In any event, [Feldman] concedes that the odds of two different files having the same hash value are infinitesimal.
U.S. v. Feldman, supra. 
Feldman also argued that “[u]nlike the program used in U.S. v. Thomas, supra,”
RoundUp has the ability to infiltrate private spaces on the target computer. He offers no evidence of that. While the affidavit from his expert references remote `tagging,’ he makes no claim that such tagging occurred in his case. Nor does the affidavit affirmatively contend that the program invades non-shared space to search for evidence. (See R. 25–1 at 6 ¶ 22 -- `It can't be confirmed if the software has access to, or writes information in other non-shared areas of the remote client.’) Relying on his expert, [Feldman] further contends that it may be possible for hash values to be present on a computer without the computer having any significant portion of the file present on it (like having the table of contents of a book without having any of the chapters). But this possibility does not defeat probable cause, which requires only a substantial chance that a search will turn up evidence of criminal activity.’

As the U.S. v. Miknevich, 638 F.3d (U.S. Court of Appeals for the 3rd Circuit 2011) court stated:

`We recognize that file names are not always a definitive indication of actual file content and, therefore, only after downloading and viewing a particular file can one know with certainty whether the content of the file is consistent with its designated name. However, certainty has no part in a probable cause analysis. On the contrary, probable cause requires only a probability or substantial chance of criminal activity, not an actual showing of such activity.’
 U.S. v. Miknevich, supra (internal citations and quote marks omitted).
The District Court Judge noted that Feldman did not claim that the Magistrate Judge
simply rubber stamped the application; he cites no case finding a materially similar application insufficient; and he makes no effort to show that the affidavit was so plainly deficient that any reasonably well-trained officer would have known that it failed to establish probable cause. Instead, he argues that good faith does not apply because the affiant was dishonest or reckless.
U.S. v. Feldman, supra. 
The judge goes on to explain that Feldman pointed to
no false statements in or material omissions from the affidavit. Instead, he argues that RoundUp exploits known weaknesses in the P2P program and is able to locate information (including hash histories) deleted or moved so as to prevent file sharing. In support of this claim, he cites an article which states that, `the exact extent to which can [sic] investigators can exploit a network protocol to gather information remotely is unsettled law.’ . . . He contends that the `phrase “exploiting a network protocol” is just techno-babble for writing a program that invades an otherwise non-shared portion of a computer.’ . . . He concludes that the government essentially developed a virus that allowed it to access all of the data on a P2P user's computer, which it failed to disclose to the issuing magistrate. . . . ([citing record pages in which Feldman claimed] that the `developers of RoundUp themselves have stated that it exploits weaknesses in peer-to-peer networks and that the exploitation of those weaknesses may violate Kyllo’).
U.S. v. Feldman, supra. 
As Wikipedia explains, in Kyllo v. U.S., 533 U.S. 27 (2001), the U.S. Supreme Court held that when “the Government uses a device that is not in general public use, to explore details of a private home that would previously have been unknowable without physical intrusion, the surveillance is a 4th Amendment `search,’ and is presumptively unreasonable without a warrant.” Kyllo v. U.S., supra.
Finally, the District Court Judge pointed out that Feldman
presents no evidence that RoundUp does what he claims, much less that it did so in this investigation. . . . [T]here is no support for these claims in the articles submitted. . . . For instance, the article [he] cites in his objections discusses digital forensics in general; it says nothing about RoundUp in particular. Further, the authors of this article clearly state that pre-warrant evidence must be in plain view, which in this context would mean the shared portion of the computer, in order for it to be used. . . . Defendant presents no non-speculative basis for holding a hearing, either to explore the legality of the government's pre-warrant investigation or the veracity of the affiant. . . .
U.S. v. Feldman, supra. 
For “these and other reasons”, the District Court Judge denied Feldman’s motion to suppress.  U.S. v. Feldman, supra.  

Wednesday, January 28, 2015

The "Electronic Data Files," the British Authorities and the 4th Amendment

After “Paul Robert Gunter [was] convicted and sentenced on multiple counts related to two international investment fraud schemes”, he appealed.  U.S. v. Odoni, 2015 WL 150740 (U.S. Court of Appeals for the 11th Circuit 2015).  The case is captioned “U.S. v. Odoni” because Odoni and Gunter were both convicted on the same charges after a joint trial.  U.S. v. Odoni, supra.  Since they raised different issues on appeal, the court divided its opinion into two sections, addressing each in a separate section.
You can, if you are interested, read about the facts that led to the prosecutions at issue in this opinion in the news stories you can find here and here. 
The Court of Appeals began its analysis of Gunter’s appeal by explaining that he
provided escrow services and managed bank accounts in connection with the two investment-fraud schemes. He raises two issues on appeal. The only issue that warrants discussion is whether the district court erred in denying Gunter's motion to suppress electronic evidence (and the fruits thereof), which the United States received directly from the United Kingdom's Serious Fraud Office (SFO) in connection with an ongoing international investigation into the fraud schemes, and then searched without obtaining a warrant.
U.S. v. Odoni, supra.
It goes on to explain that on April 13, 2007, Gunter arrived at Gatwick Airport,
an international airport south of London. He was arrested because he was on the British `wanted on all ports’ list. After he was arrested, Gunter was taken to Crowley police station, where he was detained overnight, and then interviewed the following morning by Paul Cook, a police officer with the Norfolk Constabulary Fraud Squad. Cook also took six items that were seized from Gunter when he was arrested: two mobile phones, a laptop computer, a thumb drive, some photo CDs, and a camera.

Cook took the six seized items back to his office and placed them in the Norfolk Constabulary's exhibit store. With regard to Gunter's thumb drive, Cook did not personally analyze its contents because `[t]he procedure in England is that an item of that description would be sealed in a bag and it would only be opened or examined by a specialist’ -- that is, a computer expert from the SFO. Once the thumb drive reached the SFO computer expert, that expert `would examine . . . and copy it.’ On June 4, 2007, Cook delivered the seized evidence to the SFO in London.
U.S. v. Odoni, supra.
What came next provided the basis of Gunter’s motion to suppress:
On September 7, 2007, Assistant IT Forensic Investigator Peter Littler, who worked in the Digital Forensic Unit at the SFO and had three years of experience working with networked and personal computers, signed out Gunter's laptop computer and thumb drive from the SFO's Exhibits and Records Office and created image copies of them. Although Littler did not testify at trial, the record contains a signed witness statement from him. In his statement, Littler explained that `[d]uring analysis [of the laptop computer] the date/time of the computer settings was found to be incorrect.’ Littler also stated he compiled `[c]ase notes (hard copy and electronic) . . .  during the analytical process,’ which he `held for production if required.’ Following Investigator Littler's imaging and analysis, the SFO shared the forensic images with the City of London Police, who were investigating a related fraud scheme.

On November 1, 2007, Senior Special Agent Anthony Cerreta (SSA Cerreta) of the U.S. Department of Homeland Security, Bureau of Customs and Border Protection, received image copies of the data files from Gunter's laptop and thumb drive directly from the British authorities, which he inventoried as `CD R (From memory Stick)’ and `DVD R (From Laptop).’ On November 9, 2007, Special Agent M. Anthony Magos (SA Magos) of the U.S. Secret Service also received images of the seized data files directly from the City of London Police, also in the form of a CD–R and a DVD–R, which he inventoried as well. Federal agents began reviewing Gunter's data files -- at least, the thumb drive -- in late 2007 without a search warrant.

On March 12, 2008, SA Magos applied for a warrant to search Gunter's business premises in the United States. On that same day, SSA Cerreta applied for a warrant to search Gunter's Online Quick Books Account. The affidavits submitted in support of the search warrant applications discussed evidence from Gunter's laptop computer and thumb drive.
On March 13, 2008, Gunter was arrested and a federal grand jury subsequently returned a superseding indictment charging him with numerous counts related to the investment fraud schemes.
U.S. v. Odoni, supra.
The Court of Appeals goes on to explain that on August 3, 2010, Gunter
moved to suppress all items seized from him by British authorities in April 2007, and thereafter searched by U.S. law enforcement agents without a warrant. Gunter argued that the 4th Amendment required the U.S. agents to obtain a warrant before searching his electronic data files, even if the files were lawfully seized in the United Kingdom and provided to U.S. officials by British authorities. Gunter also requested an evidentiary hearing to determine whether all the evidence seized pursuant to the March 2008 search warrants should be excluded as fruit of the poisonous tree.

The district court denied Gunter's motion without requiring a response from the Government and without holding an evidentiary hearing. The district court concluded even if Gunter's factual allegations were true, suppression of the evidence was not warranted. The court reasoned that the 4th Amendment does not apply to searches and seizures made by foreign authorities enforcing foreign law in their own country.
U.S. v. Odoni, supra.
When the court denied his motion to suppress, Gunter went to trial and was convicted of
one count of conspiracy to commit mail and wire fraud, in violation of 18 U.S.C. § 1349; one count of conspiracy to commit wire fraud, in violation of 18 U.S.C. § 1349; one count of conspiracy to commit money laundering, in violation of 18 U.S.C. § 1956; thirteen counts of engaging in illegal monetary transactions, in violation of 18 U.S.C. § 1957; ten counts of mail fraud, in violation of 18 U.S.C. § 1341; and nine counts of wire fraud, in violation of 18 U.S.C. § 1343. Gunter was sentenced to a total of 300 months' imprisonment.
U.S. v. Odoni, supra.
As noted above, Gunter argued, in his motion to suppress, that he had a
reasonable expectation of privacy in the electronic data files seized from him by British authorities in the United Kingdom and thereafter provided to the United States. Accordingly, U.S. officials allegedly violated the 4th Amendment when they examined his files without a warrant.
U.S. v. Odoni, supra.
The Court of Appeals then explained that the 4th Amendment prohibits
unreasonable searches and seizures. U.S. Const. amend. IV. `A “search” occurs when an expectation of privacy that society is prepared to consider reasonable is infringed.’ U.S. v. Jacobsen, 466 U.S. 109 (1984). `A “seizure” of property occurs when there is some meaningful interference with an individual's possessory interests in that property.’ U.S. v. Jacobsen, supra. Searches and seizures implicate two distinct interests: a privacy interest affected by a search, and a possessory interest affected by a seizure. See U.S. v. Jacobsen, supra. We therefore must analyze the search and the seizure separately, keeping in mind that the fact that police have lawfully come into possession of an item does not necessarily mean they are entitled to search that item without a warrant. See Walter v. U.S., 447 U.S. 649 (1980) (`The fact that FBI agents were lawfully in possession of the boxes of film did not give them authority to search their contents’).

Gunter does not challenge the seizure of his belongings by British authorities, as the 4th Amendment exclusionary rule does not apply to searches and seizures conducted by foreign officials on foreign soil. U.S. v. Morrow, 537 F.2d 120 (U.S. Court of Appeals for the 5th Circuit 1976) (`The reasoning usually tendered in support of this limitation [on the exclusionary rule] is the doubtful deterrent effect on foreign police practices that will follow from a punitive exclusion of the evidence in question by an American court’); see also U.S. v. Janis, 428 U.S. 433, 455 n.31 (1976) (`[T]he exclusionary rule, as a deterrent sanction, is not applicable where a private party or a foreign government commits the offending act.’). The 4th Amendment exclusionary rule does . . . apply to searches and seizures conducted by U.S. state and federal officials. See generally Mapp v. Ohio, 367 U.S. 643 (1961). Consequently, Gunter contests only the search of his data files conducted in the United States by U.S. officials.
U.S. v. Odoni, supra.
The Court of Appeals then explained that to prove the search of his data files violated the 4th Amendment, Gunter had to show he had an
objectively reasonable expectation of privacy in the data files when United States agents examined them. U.S. v. Segura–Baltazar, 448 F.3d 1281 (U.S. Court of Appeals for the 11th Circuit 2006). An objectively reasonable expectation of privacy is one that society is prepared to recognize as reasonable. U.S. v. Segura–Baltazar, supra. An individual does not have a reasonable expectation of privacy in an object to the extent the object has been searched by a private party. See U.S. v. Jacobsen, supra. In Jacobsen, the Supreme Court considered a case in which Fedex employees inspected a damaged package and discovered a tube containing a series of plastic bags, the innermost of which was filled with white powder.  The employees called the Drug Enforcement Agency.  When the first DEA agent arrived, he removed the tube from the box and took the plastic bags out of the tube.  The Supreme Court held the agent's warrantless search was constitutional to the extent it simply replicated the prior private search. The Court reasoned the officer's acts `enabled [him] to learn nothing that had not previously been learned during the private search,’ and `[t]he agent's viewing of what a private party had freely made available for his inspection did not violate the Fourth Amendment.’

Although the third party who conducted the prior search in Jacobsen was a private actor, the reasoning in Jacobsen applies with equal force when the third party who conducts the prior search is a foreign governmental official. The 4th Amendment generally does not apply to the actions of foreign officials enforcing foreign law in a foreign country just as it does not apply to the actions of private parties. And, in both cases, an entity other than a U.S. state or federal agent or official has already examined the object and its contents and therefore eliminated the individual's reasonable expectation of privacy in the contents. See U.S. v. Jacobsen, supra (`Once frustration of the original expectation of privacy occurs, the 4th Amendment does not prohibit governmental use of the now-nonprivate information.’). As a result, agents of the Government do not violate the 4th Amendment when they replicate a prior search without a warrant.

To the extent British officials searched Gunter's data files before sending them to Agents Cerreta and Magos, Gunter had no reasonable expectation of privacy in the files when the U.S. agents examined them. Without a reasonable expectation of privacy in the data files, Gunter cannot claim the protection of the 4th Amendment.
U.S. v. Odoni, supra.
Gunter, though, claimed that
there is no evidence in the record that the British authorities searched his data files (i.e., actually opened and looked at them) after seizing them. We disagree. After a thorough review of the record, we are convinced British authorities searched Gunter's electronic data files before sending them to the United States. We reach this conclusion based on the intensity of the SFO's investigation, its pattern of inspecting all seized evidence, Investigator Littler's witness statement, and the totality of the record. . . .

The SFO, the agency in charge of the investigation, expended great effort to gather evidence of the fraud scheme in which Gunter participated. The SFO undertook fifteen searches on the same day in different locations throughout the UK; sought and obtained international assistance; traveled to Spain twice to investigate; and participated in searches carried out in Spain. Throughout the course of its investigation, the SFO repeatedly searched any evidence it discovered or received. . . . SFO investigators also analyzed the approximately fifty computers and numerous boxes of documents seized in Spain in November 2006.

In addition, British officials seized six items in total from Gunter, including two cell phones, but only provided the United States and the City of London Police with image copies of two of the items: Gunter's laptop and his thumb drive. This suggests the British officials reviewed all of the seized items and then determined the other electronic devices -- the cell phones, the CDs, and the camera -- did not relate to the fraud, while the laptop and thumb drive did.

The record also leads to the conclusion that Littler not only copied, but examined, the thumb drive and laptop computer. Littler's signed witness statement says he discovered an error on the date and time of the laptop computer settings `[d]uring analysis.’

Moreover, trial testimony established that the routine procedure in the UK for handling electronic evidence, like the thumb drive, is for a forensic analyst at the SFO, such as Littler, to both `examine the [electronic material] and copy it.’ Nothing in the record suggests Littler deviated from this protocol.

In short, given the intensity of the SFO's investigation, its pattern of inspecting all seized evidence, Littler's witness statement, and the totality of the record, we are convinced British officials reviewed Gunter's data files before sending them to the United States. As a result, Gunter had no reasonable expectation of privacy in the files when the U.S. officials examined them. Under the circumstances of this case, the district court did not err by denying Gunter's motion to suppress.
U.S. v. Odoni, supra.
For these and other reasons, the Court of Appeals affirmed Gunter’s conviction and sentence.  U.S. v. Odoni, supra. 

Monday, January 26, 2015

Computers, Child Pornography and Forfeiture

Federal authorities indicted Justin Paul Gladding on two counts
related to his possession of child pornography: Count 1: Receipt or Distribution of a Visual Depiction of a Minor Engaged in Sexually Explicit Conduct in violation of 18 U.S. Code § 2252(a)(2); and Count 2: Possession of One or More Matters Containing Visual Depiction of Minors Engaged in Sexually Explicit Conduct in violation of 18 U.S. Code § 2252(a)(4)(B). The indictment included allegations that Gladding's electronic storage devices, including three computers and other hard drives, were subject to forfeiture under 18 U.S. Code § 2253 because they contained child pornography.
U.S. v. Gladding, 2014 WL 7399113 (U.S. Court of Appeals for the 9th Circuit 2014).
Gladding pled guilty to Count One of the indictment and
did not dispute that his electronic storage devices were forfeit, but he asked the government to return copies of certain noncontraband computer files on those devices.

According to Gladding, there were thousands of pictures of his family and personal emails on the devices that he wanted returned. At the change of plea hearing, the government agreed to give copies of those files to Gladding. But, in the following weeks, negotiations between Gladding and the government apparently broke down.

In response, Gladding filed his first motion to return the noncontraband computer files under Federal Rule of Criminal Procedure 41(g). The court addressed that motion at Gladding's sentencing hearing. Without specifically granting the motion, the court directed the parties to work together to determine which noncontraband files Gladding wanted and asked the government to provide copies of those files to Gladding. The court then entered a forfeiture order that stated: `The Preliminary Order of Forfeiture is made final as to contraband items only. If counsel can not resolve the motion for return of property[,] defense counsel may renew a motion for a return of property.’

The parties were again unable to agree on how to return the noncontraband files to Gladding, and Gladding filed a second Rule 41(g) motion. The government attached three exhibits to its opposition brief: (1) a document listing some of Gladding's property the government found to be noncontraband; (2) email correspondence between counsel; and (3) the transcript of a hearing on a similar dispute in a different case. None of the exhibits established the burden or cost to the government of segregating contraband from noncontraband computer files.
U.S. v. Gladding, supra.
As the Court of Appeals went on to explain, the District Court Judge who had the case held “three separate hearings” on Gladding’s Rule 41 motion. U.S. v. Gladding, supra.
At the first and second hearings, the government represented it would be difficult and costly to segregate Gladding's noncontraband files from the files containing child pornography. The district court asked the parties at those hearings to meet and confer to resolve the dispute, and suggested at the second hearing that the court would deny Gladding's motion should the parties be unable to resolve the dispute.

At the third hearing, the district court denied Gladding's motion, stating `I'm satisfied at least from the representations made to me, that it's almost impossible to separate [the noncontraband files] out in a coherent manner.’ Gladding appealed that decision. While the appeal was pending, the government granted Gladding's expert access to the forfeited electronic storage devices, and Gladding's expert was able to obtain a large number of Gladding's noncontraband files. Gladding maintains that there are still other noncontraband files the government is obligated to turn over.
U.S. v. Gladding, supra.
The Court of Appeals began its analysis of Gladding’s arguments by noting that
[w]e review de novo a district court's denial of a motion for return of property under Rule 41(g) of the Federal Rules of Criminal Procedure. U.S. v. Harrell, 530 F.3d 1051 (U.S. Court of Appeals for the 9th Circuit 2008). We review the district court's underlying factual findings for clear error. U.S. v. Harrell, supra.
U.S. v. Gladding, supra.
It then outlined how courts analyze challenges to a U.S. District Court’s denial of a motion for return of property under Rule 41(g).  U.S. v. Gladding, supra.
`A person aggrieved . . . by the deprivation of property may move for the property's return.’ Rule 41(g). The burden of proof on a Rule 41(g) motion depends on when the defendant files the motion. `When a motion for return of property is made before an indictment is filed (but a criminal investigation is pending), the movant bears the burden of proving both that the [property's] seizure was illegal and that he or she is entitled to lawful possession of the property.’ U.S. v. Martinson, 809 F.2d 1364 (U.S. Court of Appeals for the 9th Circuit 1987). . . .  

But that burden of proof changes when `the property in question is no longer needed for evidentiary purposes, either because trial is complete, the defendant has pleaded guilty, or ... the government has abandoned its investigation.’ U.S. v. Martinson, supra. Then, the burden of proof shifts and the defendant `is presumed to have a right to [the property's] return, and the government has the burden of demonstrating that it has a legitimate reason to retain the property.’ U.S. v. Martinson, supra; see also U.S. v. Kriesel, 720 F.3d 1137 (U.S. Court of Appeals for the 9th Circuit 2013) (`a defendant’s Rule 41(g) motion should presumptively be granted if the government no longer needs the property for evidence’) (internal quotation marks and citation omitted).
U.S. v. Gladding, supra. The court goes on to explain that the government can
rebut the presumption that property ought to be returned by proving a `legitimate reason’ for retaining the property that is `reasonable [ ] under all of the circumstances.’ U.S. v. Kriesel, supra; see also U.S. v. Kaczynski, 416 F.3d 971 (U.S. Court of Appeals for the 9th Circuit 2005) (`[T]he government has the burden of showing that it has a legitimate reason to retain the property’); Ramsden v. U.S., 2 F.3d 322 (U.S. Court of Appeals for the 9th Circuit 1993) (`reasonableness under all of the circumstances must be the test when a person seeks to obtain the return of property’). . .

The Advisory Committee's Note to Rule 41, to which we give `weight in interpreting the Federal Rules of Criminal Procedure,’ U.S. v. Bainbridge, 746 F.3d 943 (U.S. Court of Appeals for the 9th Circuit 2014), confirms the `reasonableness’ standard applies to the return of computer files on electronic storage devices, see Fed.R.Crim.P. 41, Advisory Committee's Note to 2009 Amendment (`Rule 41(g) . . . provides a process for the “person aggrieved” to seek an order from the court for a return of the property, including storage media or electronically stored information, under reasonable circumstances’).

The simplest way for the government to carry its burden is to prove `the property . . . is contraband or subject to forfeiture.’ U.S. v. Martinson, supra; see also U.S. v. Fitzen, 80 F.3d 387 (U.S. Court of Appeals for the 9th Circuit 1996) (`It is well-settled that the federal government may defeat a Rule [41(g)] motion by demonstrating that the property is subject to federal forfeiture’).

To that end, district courts `must receive evidence on any factual issue necessary to decide the motion.’ Federal Rule of Criminal Procedure 41(g). The government can therefore carry its burden by submitting evidence that demonstrates the property is contraband or the property falls within the court's forfeiture order. See, e.g., U.S. v. Harrell, supra. But showing the property is contraband or forfeit is not the only way the government can justify retaining the property; the government can otherwise retain property if it can show a `legitimate reason’ for doing so. See, e.g., U.S. v. Kriesel, supra (government's retention of the defendant's blood sample was `reasonable under the circumstances’ because the government needed the sample to ensure the accuracy of future DNA identifications).
U.S. v. Gladding, supra.
The Court of Appeals goes on to explain that Gladding filed his Rule 41(g) motion
after he pleaded guilty and the government no longer needed his property as evidence. The burden of proof was therefore on the government. U.S. v. Kriesel, supra. The district court did not expressly state whether Gladding or the government had the burden of proof on the motion. However, the parties impliedly concede the court put the burden on Gladding. And the district court's brief analysis denying Gladding's motion sheds light as to whom the district court thought should bear the burden of proof.

The district court denied Gladding's motion because it was `satisfied’ by the government's `representations’ that it is `almost impossible to separate [the noncontraband files] out.’ But representations are not evidence, unless adopted by the opponent. The government failed to submit any evidence of the difficulty and cost of segregating Gladding's data, which it claimed was a `legitimate reason’ for retention of the noncontraband files. For that reason, the government could not have carried its burden of proof had the district court correctly placed it on the government. The district court's decision not to put the burden of proof on the government was legal error. We remand for the court to apply the correct burden in the first instance. See U.S. v. Martinson, supra.
U.S. v. Gladding, supra.
It also pointed out that
[w]e think it may be helpful to provide the district court guidance on remand, as we have not articulated the contours of a Rule 41(g) motion in the context of intermingled computer files. At oral argument, the government narrowed the issues to be considered in this case by admitting the files Gladding seeks are neither contraband nor subject to forfeiture. In the government's view, the district court's forfeiture order did not cover Gladding's noncontraband files even though those files were intermingled with files containing child pornography.

As some files are neither contraband nor forfeit, the government can retain the noncontraband files only if the government shows a `legitimate reason’ for doing so `that is reasonable under all of the circumstances.’ U.S. v. Kriesel, supra.

We have noted the `spirit of [Rule 41(g)] is one of compromise’ that `recognizes that reasonable accommodations might protect both the law enforcement interests of the United States and the property rights of property owners.’ U.S. v. Ramsden, 2 F.3d 322 (U.S. Court of Appeals for the 9th Circuit 1993) (quoting Federal Rule of Criminal Procedure 41, Advisory Committee's Note to 1989 Amendment).

The government's primary objection to returning Gladding's noncontraband files is the cost of segregating those files from the files containing child pornography. The Advisory Committee's Note to Rule 41 confirms the difficulties posed by electronic data in this context: `A substantial amount of time can be involved in the forensic imaging and review of information. This is due to the sheer size of the storage capacity of media, difficulties created by encryption and booby traps, and the workload of the computer labs.’ Fed.R.Crim.P. 41, Advisory Committee's Note to 2009 Amendment.

The difficulty and cost of segregating the data can therefore be a `legitimate reason’ for the government to retain Gladding's property. If the parties dispute the cost of segregating data, they should submit supporting evidence and the district court may hold an evidentiary hearing to resolve that dispute. The district court should deny Gladding's motion if the government has carried its burden of proof by producing evidence which preponderates to show the government's cost concerns are `reasonable under all of the circumstances.’ See U.S. v. Kriesel, supra.
U.S. v. Gladding, supra.
Finally, the Court of Appeals explained that the U.S. District Court Judge could 
also order alternative measures for returning Gladding's noncontraband files other than forcing the government to pay for segregating the data itself. . . .

For example, the district court can require Gladding to pay the costs of segregation by having his expert review the electronic storage devices and copy the noncontraband files to the extent otherwise permitted by law. Indeed, Gladding already had an expert review the storage devices while this appeal was pending.

The district court may decide to order the government to provide a printed directory of the electronic storage devices. A directory could assist Gladding in better identifying which files he wants returned or which folders potentially contain noncontraband material. Such a remedy may have the effect of substantially reducing the government's costs in identifying noncontraband files to return to Gladding. And counsel for Gladding suggested at oral argument that a printed directory would go a long way toward resolving this dispute.

We of course do not mean to require the district court to adopt any or all of our suggestions; nor do we mean to preclude the district court from ordering other remedies. In cases such as this, the district court is in the best position to fashion a remedy, `taking into account the time needed to image and search the data and any prejudice to the aggrieved party.’ Federal Rule of Criminal Procedure 41, Advisory Committee's Note to 2009 Amendment.
U.S. v. Gladding, supra.
It therefore reversed the U.S. District Court Judge’s order “denying Gladding’s Rule 41(g) motion” and remanded the case to the District Court “for proceedings consistent with this opinion.” U.S. v. Gladding, supra.
You can, if you are interested, read more about the prosecution of Gladding in the news stories you can find here and here.

Friday, January 23, 2015

Child pornography, Jurisdiction and the Municipal Police Departments

As Wikipedia explains, territorial jurisdiction
in United States law refers to a court's power over events and persons within the bounds of a particular geographic territory. If a court does not have territorial jurisdiction over the events or persons within it, then the court cannot bind the defendant to an obligation or adjudicate any rights involving them. 
Territorial jurisdiction was at issue in Knight v. State, 2014 WL 7243139 (Florida Court of Appeals for the First District 2014). John Gordon Knight “entered a negotiated plea of no contest to two counts of possession of child pornography while reserving the right to appeal” the trial judge’s denial of his motion to suppress certain evidence.  Knight v. State, supra.  
As the Court of Appeals notes,
[p]ursuant to the plea agreement, [Knight] was adjudicated guilty and sentenced to three years in prison followed by two years of sex offender probation.
Knight v. State, supra. 
Before we get into whether the trial judge erred in denying Knight’s motion to suppress, we need to know how the prosecution arose:
At the suppression hearing, Detective Camille Burban of the Neptune Beach Police Department testified that she had prior experience investigating sex crimes and child pornography as a member of the Internet Crimes Against Children (ICAC) Task Force for Northeast Florida. In 2009, she used a program called the Wyoming Tool Kit to search for people who were sharing known child pornography on peer-to-peer networks. . . .

Known child pornography consisted of files identified by the National Center for Missing and Exploited Children or the Wyoming ICAC Task Force as depicting real child victims. Just as every person had a fingerprint, every picture of known child pornography had an SHA value, which was recognized by the software Burban had running in her office.

When the program identified a peer-to-peer network trading an SHA value linked to known child pornography, it logged the IP address (the number identifying the location where the computer was hooked up to the Internet), the name of the file containing the known child pornography, and the date the file in question was shared. In this case, the program logged an IP address that was from Comcast with the latest sharing occurring on August 6, 2009. Burban subpoenaed Comcast and determined that the IP address was registered to a residence in Atlantic Beach.
Knight v. State, supra.
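The matching and logging step the opinion describes, as an added example (it is not the Wyoming Tool Kit's code and does not come from the opinion): digests advertised by peers are compared against a reference set, and each hit is logged with the IP address, file name and date. The opinion says only "SHA value", so SHA-1, the function names and every sample record below are assumptions constructed for illustration.

```python
import hashlib
from datetime import date

def sha1_hex(data: bytes) -> str:
    """Return the SHA-1 digest of file content as lowercase hex."""
    return hashlib.sha1(data).hexdigest()

# Constructed stand-ins for reference content; a real reference set
# holds digests only, never the files themselves.
REF_ONE = b"constructed reference file one"
REF_TWO = b"constructed reference file two"
KNOWN_HASHES = {sha1_hex(REF_ONE), sha1_hex(REF_TWO)}

# Constructed observations: (ip, advertised name, advertised digest, date).
# IP addresses are from the RFC 5737 documentation ranges.
OBSERVATIONS = [
    ("192.0.2.10", "holiday.jpg", sha1_hex(REF_ONE), date(2020, 1, 5)),
    ("192.0.2.10", "renamed.jpg", " " + sha1_hex(REF_ONE).upper(), date(2020, 1, 9)),
    ("198.51.100.7", "notes.txt", sha1_hex(b"unrelated content"), date(2020, 1, 6)),
    ("192.0.2.10", "other.jpg", sha1_hex(REF_TWO), date(2020, 1, 7)),
    ("203.0.113.5", "bad-digest", "not-a-hex-digest", date(2020, 1, 8)),
]

def is_sha1(value: str) -> bool:
    """Accept only well-formed 40-character hex digests."""
    v = value.strip().lower()
    return len(v) == 40 and all(ch in "0123456789abcdef" for ch in v)

def match_observations(observations, known_hashes):
    """Return one log record per observation whose digest is in the set."""
    hits = []
    for ip, name, digest, shared in observations:
        if not is_sha1(digest):
            continue  # malformed input is skipped, never treated as a match
        normalized = digest.strip().lower()
        if normalized in known_hashes:
            hits.append({"ip": ip, "file": name, "sha1": normalized, "date": shared})
    return hits

def summarize_by_ip(hits):
    """Per IP: hit count, distinct digests, and the latest sharing date."""
    summary = {}
    for h in hits:
        s = summary.setdefault(
            h["ip"], {"hits": 0, "digests": set(), "latest": h["date"]})
        s["hits"] += 1
        s["digests"].add(h["sha1"])
        s["latest"] = max(s["latest"], h["date"])
    return summary

if __name__ == "__main__":
    hits = match_observations(OBSERVATIONS, KNOWN_HASHES)
    for ip, s in summarize_by_ip(hits).items():
        print(ip, s["hits"], "hits,", len(s["digests"]),
              "distinct digests, latest", s["latest"].isoformat())
```

The match depends on content rather than on the file name, which is why `holiday.jpg` and `renamed.jpg` produce the same digest; the record identifies an IP address, and tying it to a residence takes the separate subscriber lookup the opinion describes.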
The court goes on to explain that Burban
then called Detective Chris Pegram of the Atlantic Beach Police Department and told him that she obtained a hit on her computer for a residence in Pegram's jurisdiction. When she asked if he wanted to give it to the ICAC Task Force for Northeast Florida or handle it himself, Pegram responded that he wanted the case, but asked for her assistance because the Atlantic Beach Police Department did not have the necessary training or experience.

At that time, there was a mutual aid agreement between both police departments. She and Detective Pegram began researching who lived at the address in question and applied for a search warrant. 

Burban believed there was probable cause to search the address because of the SHA value, which was similar to a digital fingerprint for the photograph. She downloaded the photograph to make sure it was child pornography and had not been deleted. She typed up the search warrant and presented it to the magistrate, who signed and issued it.

She, Detective Pegram, and other officers executed the search warrant on September 9, 2009. [Knight] and his seventeen-year-old stepson were present at the time. She explained to [Knight] that she was there to investigate a computer crime and needed to talk to each person in the house. [He] was absolutely cooperative.

She learned there were two computers in the house, a laptop for the family and a desktop computer in the bedroom. [Knight] confessed that he had downloaded child pornography onto the desktop computer in the bedroom. She took the desktop computer and left a copy of the warrant with [him].
Knight v. State, supra.
As noted above, Knight appealed the trial judge’s denial of his motion to suppress “all evidence seized as a result of the extra-jurisdictional investigation and search of [Knight’s] home computer located in Atlantic Beach by Detective Camille Burban of the Neptune Beach Police Department.” Knight v. State, supra. In other words, Knight argued that Burban did not have authority to investigate him and search his home and computer because she was outside the territory in which she had jurisdiction to conduct such investigations. Knight v. State, supra.
The Court of Appeals began its analysis of Knight’s argument by explaining that
[g]enerally, municipal law enforcement officers can exercise their law enforcement powers only within the territorial limits of the municipality. Nunn v. State, 121 So.3d 566 (Florida Court of Appeals 2013); State v. Griffis, 502 So.2d 1356 (Florida Court of Appeals 1987). One exception allows an officer to act outside of his or her jurisdiction if the subject matter of the investigation originates inside city limits. Nunn v. State, supra. . . .

Thus, the investigatory acts of an officer outside of his or her jurisdiction are not deemed unlawful if during the investigation the officer has a good faith belief that the crime occurred within his or her jurisdiction. Nunn v. State, supra. Another exception applies if the officer acts in accordance with a voluntary cooperation agreement pursuant to § 23.121, Florida Statutes, or an interlocal agreement to provide law enforcement services pursuant to § 166.0495, Florida Statutes. Jarrett v. State, 926 So.2d 429 (Florida Court of Appeals 2006). . . . When an officer unlawfully asserts official authority, either expressly or implicitly, to gain access to evidence, that evidence must be suppressed. State v. Phoenix, 428 So.2d 262 (Florida Court of Appeals 1982), approved, 455 So.2d 1024 (Florida Supreme Court 1984).
Knight v. State, supra.
In his appeal, Knight argued that
the trial court erred in denying his motion to suppress evidence obtained in Atlantic Beach as a result of the extra-jurisdictional investigation by Detective Burban of the Neptune Beach Police Department. Specifically, [he] claims Burban acted outside her territorial jurisdiction when she utilized a computer program available only to law enforcement to investigate the contents of [his] computer that was located outside the city limits of Neptune Beach.

However, the state correctly responds that Burban's investigation involved computer files [Knight] placed in folders that were shared over a peer-to-peer network. Because the child pornography present on [his] computer could be accessed over the Internet by way of [Knight’s] file-sharing program, [he] cannot argue that this portion of Burban's investigation was outside her territorial jurisdiction. In fact, Burban did not know whether the source of the child pornography being shared over the Internet was located inside or outside her territorial jurisdiction.
Knight v. State, supra.
The Court of Appeals did not buy Knight’s argument:
[O]nce Burban subpoenaed the Internet provider and determined the IP address was registered to a residence in Atlantic Beach, it became clear any further investigation was outside Burban's territorial jurisdiction unless one of the aforementioned exceptions applied. Burban recognized this when she contacted Detective Pegram of the Atlantic Beach Police Department, who asked for her assistance because the Atlantic Beach Police Department did not have the necessary training or experience.

At that time, there was a mutual aid agreement between both police departments. She and Detective Pegram then obtained a search warrant, which they and other officers executed on [Knight’s] residence. Although [he] claims the mutual aid agreement did not allow Burban to continue her investigation outside the limits of Neptune Beach where the subject matter of the investigation did not originate inside the city limits of Neptune Beach, [Knight’s] position rests on the questionable notion that his possession of child pornography was confined to the city limits of Atlantic Beach.

Because [he] placed the child pornography in a shared computer file that could be accessed over the Internet in neighboring Neptune Beach, Detective Pegram's investigation originated inside the city limits of Neptune Beach, and the mutual aid agreement between the Neptune Beach and Atlantic Beach Police Departments allowed her to continue that investigation under the auspices of the Atlantic Beach Police Department. Accordingly, the trial court properly denied [Knight’s] motion to suppress.
Knight v. State, supra.  The Court of Appeals therefore affirmed Knight’s conviction and sentence.  Knight v. State, supra.